
ffr

(23,416 posts)
Thu Apr 9, 2026, 04:28 PM 14 hrs ago

While you have been distracted by political squabbling about Iran, Russian state-sponsored cybercrime organizations have been attacking home Internet routers, gaining access to and redirecting Internet DNS requests through their global web of hosting services.

APT28 exploit routers to enable DNS hijacking operations

Russian cyber actor APT28 exploit vulnerable routers to hijack DNS, enabling adversary‑in‑the‑middle attacks and theft of passwords and authentication tokens.

Russian cyber actors APT28 have been exploiting routers to overwrite Dynamic Host Configuration Protocol (DHCP)/Domain Name System (DNS) settings to redirect traffic through attacker-controlled DNS servers. Resulting malicious DNS resolutions enable adversary-in-the-middle (AitM) attacks that harvest passwords, OAuth tokens and other credentials for web and email related services. This puts organisations at risk of credential theft, data manipulation and broader compromise.

The DNS hijacking operations are believed to be opportunistic in nature, with the actor targeting a wide pool of victims and then likely filtering down for users of potential intelligence value at each stage of the exploitation chain. - National Cyber Security Centre - UK


Mitigation
* Never allow your Internet router management interface to be accessible from its WAN port, only the LAN port.
* Update your router's firmware or retire SOHO equipment that is no longer supported.
* Update and patch equipment operating systems and software.
* Whenever possible, take advantage of two-factor/multi-factor authentication for websites you use.
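A check a defender can run against what the router actually handed out over DHCP, added here as an example (not code from the post or from the NCSC advisory): it parses resolv.conf-style nameserver lines, flags any resolver that is neither on a per-site allowlist nor inside the home LAN, and compares answers for login-related names with those from an independent reference resolver. The allowlist, the LAN subnet and all sample values are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumed for this example (not from the post): the router's LAN address plus
# any public resolver the owner deliberately configured, and the home LAN.
TRUSTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")

def parse_nameservers(resolv_conf: str) -> list[str]:
    """Return nameserver entries from resolv.conf-style text, in order."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.MULTILINE)

def audit_resolvers(resolv_conf, trusted=TRUSTED_RESOLVERS, lan=LAN_SUBNET):
    """One finding per resolver not on the allowlist: an unknown host inside
    the LAN needs checking; one outside the LAN matches an overwritten
    DHCP/DNS setting pointing clients at an attacker-controlled resolver."""
    findings = []
    for ns in parse_nameservers(resolv_conf):
        if ns in trusted:
            continue
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"unparseable nameserver entry: {ns}")
            continue
        if addr in lan:
            findings.append(f"unknown LAN resolver {ns}: confirm the host")
        else:
            findings.append(f"off-network resolver {ns}: possible DNS hijack")
    return findings

def compare_answers(configured: dict, reference: dict) -> list[str]:
    """Names whose answer from the router-supplied resolver differs from an
    independent reference resolver (e.g. DNS-over-HTTPS to a provider you
    trust); a differing answer for a login or mail host is the AitM signal."""
    return sorted(n for n, ip in configured.items() if reference.get(n) != ip)

# Constructed samples: DHCP-supplied resolv.conf and A records per resolver.
SAMPLE_RESOLV_CONF = """# generated by DHCP (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.17
"""
SAMPLE_CONFIGURED = {"mail.example.com": "203.0.113.40",
                     "www.example.com": "198.51.100.9"}
SAMPLE_REFERENCE = {"mail.example.com": "198.51.100.5",
                    "www.example.com": "198.51.100.9"}
```

On a real client, feed it the live /etc/resolv.conf (or the DNS servers shown in the OS network settings) plus answers gathered from the configured resolver and from a DNS-over-HTTPS lookup to a provider you trust.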

Updating your home router's firmware is fairly simple. Use a PC or a specific cellphone app to accomplish this operation. If you can log in to your router's management interface (like https://192.168.1.1), there will be an administrative area where you can update the router directly. If not, find the make/model of your router, go to the manufacturer's support website, find your model and its current firmware update, download the update and follow the online support instructions on how to best update your SOHO router.

TP-Link routers, specifically, are currently being targeted.

Interestingly, I did additional Geo-lookups on the DNS servers the article shows are perpetrating traffic redirection (see article above) and there was a recurring pattern. On a technical level, there were a handful of ISPs the Russians were coordinating with:
* Hydra Communications - AS25369 out of the UK
* LeaseWeb - AS59253 & AS396362 out of Singapore and NY, USA
* HZ Hosting - AS202015 & AS59711 out of Bulgaria, Sweden, and TX, USA
* EstNOC - AS206804 out of Estonia and Poland

but also,
* Nexeon Tech - AS20278 TX, USA
* Alexhost - AS200019 Bulgaria
* Belcloud - AS44901 Bulgaria
* Zubritska - AS207560 Kyiv, Ukraine